Patch Management
Name:
Date:
University name:
Course name:
Course number:
Professor name:
Patch Management 2
Abstract:
released after every specific period of time, or it can be released during an emergency when
there is a threat of cyber-attack. In order to facilitate the prompt notification, delivery, and
installation of updates, the software industry has responded with update and patch
efforts by academic researchers are greatly restricted. At the core of the maintenance phase of
the software development life cycle are the issuance of patches (software fixes) and updates
(a collection of fixes and improvements) to resolve system faults, flaws (bugs), and security
holes in an attempt to extend the functional life of a software product. Due to the time and
effort required to assess, locate, and acquire these updates, this ongoing effort is often
delayed or overlooked by users and system administrators until some urgency or incident
occurs that prompts a swift response. In recent years, software manufacturers have typically
provided access to their product updates via the Internet (i.e., website, FTP, e-mail, bulletin
boards and newsgroups). In this paper, we discuss the patch management policy designed by
three frequently used applications and we will determine their adequacy by comparing them
Introduction:
Patching, in layman’s terms, is simply fixing the errors that are inadvertently
made and need to be corrected. Modern software and applications are enormously complex
and very difficult to build, and as a result mistakes do happen; these are discovered gradually
each time the company reviews its software or application. When these
mistakes are discovered, the developers have to go back and apply fixes to correct those
mistakes. These fixes are commonly known as patches. In today’s era of technology, most
people would know of this phenomenon in the form of the system update pop-up that appears on
our smartphones and computers, or even in the form of messages we receive to update the
applications that we have installed. These pop-ups mean that, for some reason, the software
or application that we are provided with is faulty in some way and needs to be updated to fix
that mistake. Perhaps there was an error in the code that was released or some other kind of
issue. When that happens, the developers apply a patch where there is a mistake in the
software or application. It is of utmost importance that we install the updates as soon as they
are made available, because even one faulty application can make the whole system
vulnerable. Common areas that need patches include operating systems, such as Windows,
Android, Linux, etc.; applications that we normally use in our daily life such as Zoom,
WhatsApp and Microsoft; and the vendor category that frequently needs patches, network
equipment, which includes our speakers and video cameras. This equipment also runs
software and needs to be patched to ensure that our devices are protected from
outside exploitation (“What is patch management? Benefits and best practices”, 2020).
The type of vendors for patch management that will be discussed in this paper are
applications.
framework of the system. It is not only important for security purposes but also for a
number of other key factors. Patch management remediates the vulnerabilities present in our
computer and mobile software or in the applications that are prone to cyber-attacks, and
hence helps to reduce security risk. Apart from this, it ensures that the software and
applications are up-to-date and running smoothly. This continued product upgrading and
maintenance keeps the customers happy and satisfied with the application, resulting in
economic productivity for the developer. Patch management is also an important feature for
the applications to keep in compliance with the national legislation in place to avoid cyber-
attacks, which are becoming increasingly common in this era. Apart from fixing the bugs in
an application, patch management plays an important role in actually bringing new features
frequently used applications. These are the applications that need to be constantly kept up-to-date
and maintained since we use them a lot. If not routinely patched, they pose a serious security
risk to our devices. Some of the key questions that will be answered in this paper are listed
below:
1. What are the patch management policies of the three selected applications?
2. In what ways do these applications address patch management, and how do they
patches efficiently. This includes detecting which components in the system require a patch,
prioritizing them, and testing the patches to ensure that they are compatible with the rest of
the software projects and processes so that the software development life cycle continues
without disruption. As the number of security vulnerabilities continues to rise, it’s important
that organizations have a patch management policy in place. It helps companies map out all
the logistics involved in the patch management process so that teams can handle security
Background/History:
that the application keeps running smoothly and the users do not face any difficulty. A patch
management policy includes how often patches are provided, the prioritization of the
availability of these patches, and the ways to test, monitor and report each of these new
patches (Goldstein, A, 2020). Not all vulnerabilities pose a significant security risk, and thus
not all require immediate patching. The developers need to determine whether the
vulnerability that is detected carries a critical, high, medium or
low level of danger. With this information, they prioritize when the patches should be
provided to the users (Gabriel, A, 2019). In this section of the paper, we will discuss the
patch policy of Microsoft Office, Zoom and Bizagi Modeler and their adequacy as compared
Once their patches are made available, they are not accessible through Windows Update as was
the norm previously; instead Microsoft creates the patched version of the application and puts it
on the Office Content Delivery Network (CDN) on the internet. The frequency of the updates is
determined by the user instead of the developer, unless the patches address a critical risk
to the user, in which case the updates need to be done immediately (Microsoft 365, 2021).
The users are provided with three primary update channels that they can use, namely the
Current Channel, Monthly Enterprise Channel and Semi-Annual Enterprise Channel. The users
can use any of these channels for updates, but Microsoft recommends the Current
Channel, which provides the users with new Office features as soon as they are ready. The
Microsoft Office apps inform the users of newer vulnerabilities in several ways. One of those ways is the
scheduled task Office Automatic Updates 2.0, which is automatically created when the Microsoft
applications are installed on the device. This scheduled task is configured to look for newer
updates on a regular basis. When the task runs, it compares the Microsoft Office apps on the
users’ device with the version of Microsoft apps available on the update location. If there is a
difference found between the two versions, the update process determines which files need to
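The update check described above, written out as an added example (not code from this paper or from Microsoft): the task compares the build installed on the device with the build published on the update location and, only when the published one is newer, works out which files actually have to be replaced. Version strings follow the four-part major.minor.build.revision format that Office builds use; the manifests and file hashes are constructed sample data.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'16.0.14326.20454' -> (16, 0, 14326, 20454) so builds compare numerically.
    Comparing as strings would rank '16.0.9999.1' above '16.0.14326.20454'."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Manifest:
    """What the device (or the update location) reports: a build number and a
    per-file content hash. Hashes in this example are constructed placeholders."""
    version: str
    files: dict


def update_needed(installed: Manifest, published: Manifest) -> bool:
    """True only when the update location carries a newer build than the device.
    An older or equal published build is never treated as an update (no downgrades)."""
    return parse_version(published.version) > parse_version(installed.version)


def files_to_update(installed: Manifest, published: Manifest) -> dict:
    """Files whose hash differs from the installed copy, or which are new in the
    published build. Only these need downloading; unchanged files stay in place."""
    if not update_needed(installed, published):
        return {}
    return {path: digest for path, digest in published.files.items()
            if installed.files.get(path) != digest}


# Constructed sample data standing in for the device and the update location.
INSTALLED = Manifest("16.0.14326.20454", {
    "winword.exe": "hash-a1", "excel.exe": "hash-b1", "mso.dll": "hash-c1"})
PUBLISHED = Manifest("16.0.14332.20110", {
    "winword.exe": "hash-a1", "excel.exe": "hash-b2", "mso.dll": "hash-c2",
    "msointl.dll": "hash-d1"})


if __name__ == "__main__":
    print("update needed:", update_needed(INSTALLED, PUBLISHED))
    print("files to download:", sorted(files_to_update(INSTALLED, PUBLISHED)))
```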
OpenOffice. They do not have any definite patch management policy in place. According to
the official website of Apache OpenOffice, users are encouraged to report “privately” all
the bugs that they encounter. Users are specifically told not to disclose any security
bug to the general public, in order to avoid any cyber-attack. Once the reporter reports the
vulnerability privately, the appropriate project’s security team works privately with the
reporter to resolve the vulnerability. A new release of the Apache package is made which
includes the patched vulnerability. After this new update is made available, then the public is
The next application that we will discuss in this section is Zoom, which is
an app used for video meetings with up to 100 participants. According to the official Zoom website,
Zoom regularly provides new versions of the Zoom desktop client and mobile app to release
new features and to fix security bugs. Zoom provides a pop-up notification when there is a
new mandatory or optional update within 24 hours of logging in. If there are no mandatory
updates, then the user can check for updates by opening the app and clicking on the
Check for Updates option under their profile picture. Zoom has a completely transparent patch
management policy and immediately informs the users of any new vulnerabilities.
uses cloud security as part of their patch management policy. It blocks the usage of risky and
application of Microsoft Office and hence it has the same patch management policy as
Microsoft Office, discussed above. The updates are available monthly and the users are
informed of those patches through Microsoft’s side applications. The updates are
The third application that will be discussed here is Bizagi Modeler,
which enables business and IT teams to transform any business process and deliver end-to-
end digital process automation across the organization. This application does not have any
option for updates, nor is there any fixed frequency for when patches are applied to the
software. According to the Bizagi website, they take into account the comments by their users
and then release a new version of the application with a note on their website announcing
the new version. It is at the users’ discretion whether they want to move on to the new version or keep
using the older version. They have a policy to ensure that the customers’ data is transferred to
the new version if they move on to the latest version. The new version is easily downloadable
ProcessMaker is the alternative application to Bizagi that is discussed here. It has a
different ways (as an Official Release, Hotfix or Patch), and each one is generated based on
product build and includes improvements to all previous official releases and hotfixes,
including new features, improvements, bug fixes, security fixes, major changes and changes
A Hotfix is a cumulative package generated over a previous Official Release and created based
on customer requests. Hotfixes are incremental and include the improvements in previous
Hotfixes and Patches. These improvements may include new features, bug fixes, security
fixes, and changes in database schema. However, major changes (backward incompatible
changes) are not included. Hotfixes are distributed/communicated only to current customers.
A Patch is designed to update the Official Release with improvements. Patches are created
based on customer request and are released between Hotfixes. Patches are generated over
previously released Official Releases and Hotfixes, are incremental and include
improvements in previous patches. Patches are distributed only to clients that requested a
Discussion:
between the adequacy of the patch management policy of the three selected applications and
long as you follow standard security procedures. It is very important that all the
updates and patches are installed as soon as they are released, in conjunction with the timely
publicizes possible security issues with both open-source tools — allowing users to protect
themselves and hackers to potentially exploit issues. In contrast, Microsoft keeps security
issues closely guarded in an effort to prevent hackers from finding out about them (Rivas, D,
2016). However, the patch management policy of Microsoft is much more organized. The users
are much more aware of when to expect the next update and from where to install that
update.
management policy was put to the test last year, at the start of the pandemic, and Zoom’s policy
passed the test with flying colors when it quickly fixed the privacy issue of eavesdroppers
listening in to private conversations. The patches were made available quickly and the users
were also required to install the new version if they wanted to continue using the app. On the other
hand, the patch management policy of Skype is also very foolproof and keeps the users in the loop
regarding any new vulnerability that arises. These measures from both applications keep the
customers happy and help them understand the level of risk that they are in danger of if they
do not install the latest patches. If the risk is critical, the users are unable to further use the
application without installing the patch. If the risk is high, the user is given a specific period
of time in which they have to install the patches. If the risk is medium or low, the users can
install the updates at their own discretion. Hence, both of these applications are relatively
secure and have a proper patch management policy. It is up to the users how they use them
policy. It releases new updates frequently and the user does not have to install the whole
application again in order to get those updates. They can simply install the new features only.
Apart from this frequent update schedule, the users can also ask for custom-made patches,
requesting newer and better features. This gives them a flexibility in their
approach that Bizagi Modeler cannot afford to have. Bizagi does not offer updates but
instead releases new editions of their website, and that very infrequently. In order to have the
new features, the users have to install the whole application again. The new features cannot
Conclusion:
Patch management is a task that can require a great deal of time and
resources, and it is often difficult to get an overview of your assets and applications, prioritize
patches, and even to be able to swiftly patch critical programs and systems. Companies need
to be able to manage patches as efficiently as possible, otherwise they could have a huge
belong to five companies: Software in the Public Interest (SPI), SUSE, Oracle, IBM, and
Microsoft. The most widely used third-party applications are the main target for hackers.
According to the Common Vulnerabilities and Exposures (CVE) index, applications like
Java, Adobe, Google Chrome, Mozilla Firefox, and OpenOffice, among others, have the
specifically their IT departments, download and install patches (changes in code or data)
intended to update, optimize, or secure software, computers, servers, and systems. The aim is
Although it might seem like a simple task, most companies struggle to identify which critical
patch updates they need to install first. Therefore, prioritizing patches is key for
administrators.
There are different kinds of patches, and each of them is developed for a
specific purpose: to correct a bug or specific vulnerability. Security patches affect both
application or program in order to fix bugs or flaws that cause vulnerabilities. Applying this
kind of patch prevents vulnerabilities from being exploited or will eliminate or mitigate the
ability of threats to exploit a vulnerability in an asset. Service Packs (SP) or Feature Packs (FP)
are other types of patches. They are important patches that comprise a collection of updates,
fixes, or feature enhancements for a piece of software. They tend to solve a lot of pending
problems, and usually include all the patches, hotfixes, maintenance and security patches
their release. This helps the user to be safe from any unauthorized access and prevents
cyber-attacks. Not only do the patches provide security updates, but they also provide exciting new
features of the application. Thus, patch management processes are extremely important for
References:
process-microsoft-365-apps
Zoom help center. Upgrade/update to the latest version. Retrieved from:
https://support.zoom.us/hc/en-us/articles/201362233-Upgrade-update-to-the-latest-version
%20management%20is%20the%20process,bugs%E2%80%9D)%20in%20the%20software.
https://www.apache.org/security/
Retrieved from:
https://wiki.processmaker.com/3.0/Official_Release_Hotfix_and_Patch_Distribution_Policies
https://feedback.bizagi.com/en/topic/how-can-i-update-to-a-newer-version-of-bizagi-process-modeler
openoffice